Security

The AWS Cloud provides a scalable, highly reliable platform that helps customers deploy applications and data quickly and securely. When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated applications, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Security Groups

The security groups created in this solution are designed to control and isolate network traffic between the AWS Lambda functions, CSR instances, and remote VPN endpoints. To perform testing, troubleshooting, or remote configuration, you will need to update the CSR security group to allow inbound SSH traffic. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.

In the transit VPC network, all VPN connections originate from the CSR instances. Therefore, no inbound traffic is necessary other than for access to the CSR instances. This solution includes a security group rule that grants access to inbound SSH traffic from the Cisco Configurator Lambda function only.
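The rule above is easy to loosen during troubleshooting and forget to tighten again. The following check, an added example that is not part of the AWS solution's own code, walks a security group in the shape returned by EC2's describe_security_groups and reports every inbound source for TCP port 22 other than the Cisco Configurator Lambda's security group. The two security-group documents and their group IDs are constructed placeholders; it also treats an all-traffic rule ("-1") as covering SSH.

```python
"""Audit a CSR security group for the intended SSH-only-from-Configurator posture.

Added example, not code from the AWS solution. Input dictionaries mirror the
IpPermissions structure of EC2 describe_security_groups; IDs are placeholders.
"""

SSH_PORT = 22


def _rule_covers_port(rule, port):
    """True if an ingress permission spans the given TCP port ("-1" means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_ssh_ingress(security_group, configurator_sg_id):
    """Return findings for every inbound SSH source that is not the Configurator
    Lambda's security group. An empty list means the group matches the solution's
    documented rule (SSH from the Cisco Configurator function only)."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not _rule_covers_port(rule, SSH_PORT):
            continue
        for cidr in rule.get("IpRanges", []):
            findings.append(f"SSH open to IPv4 CIDR {cidr['CidrIp']}")
        for cidr in rule.get("Ipv6Ranges", []):
            findings.append(f"SSH open to IPv6 CIDR {cidr['CidrIpv6']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != configurator_sg_id:
                findings.append(f"SSH open to security group {pair.get('GroupId')}")
    return findings


# Constructed sample: the deployed rule, SSH only from the Configurator's group.
CSR_SG_HARDENED = {
    "GroupId": "sg-csr-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-configurator-placeholder"}]},
    ],
}

# Constructed sample: a troubleshooting rule added later and never removed.
CSR_SG_TROUBLESHOOTING = {
    "GroupId": "sg-csr-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-configurator-placeholder"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

# Constructed sample: an all-traffic rule, which implicitly includes SSH.
CSR_SG_ALL_TRAFFIC = {
    "GroupId": "sg-csr-placeholder",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


if __name__ == "__main__":
    for name, sg in [("hardened", CSR_SG_HARDENED),
                     ("troubleshooting", CSR_SG_TROUBLESHOOTING),
                     ("all-traffic", CSR_SG_ALL_TRAFFIC)]:
        print(name, audit_ssh_ingress(sg, "sg-configurator-placeholder"))
```

Run it against real output by passing each element of `describe_security_groups()["SecurityGroups"]` for the CSR instances' group; any finding is a candidate for the post-deployment review the page recommends.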

Additional Security Settings

Password authentication is explicitly disabled. The Cisco Configurator Lambda function generates an SSH key pair, stores it securely in the Amazon S3 bucket, and uses that key pair for authentication to access the CSR instances. The Cisco Configurator Lambda function is configured to run inside the transit VPC only.

All files in the S3 bucket are encrypted using server-side encryption with AWS KMS (S3 SSE-KMS). An Amazon S3 bucket policy controls which additional accounts can have access to the bucket, and an AWS KMS key policy controls which accounts are authorized to use the solution-specific customer master key for decryption, therefore enabling those accounts to connect their VGWs to the transit VPC network. These policies may be modified manually to add additional accounts to the transit VPC network (see Appendix C for details).
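Because an account needs both the bucket policy and the key policy to read the encrypted configuration, editing only one of them leaves the account listed but unable to join. The following added example, not code from the AWS solution, parses both policy documents and reports which accounts are fully enabled and which appear in the bucket policy without a matching decrypt grant on the key. The policy documents, account IDs, bucket and key names are all constructed placeholders; Deny statements and conditions are deliberately not modelled.

```python
"""Cross-check the S3 bucket policy against the KMS key policy.

Added example, not code from the AWS solution. Policies below are constructed
samples with placeholder account IDs; only Allow statements are evaluated.
"""
import fnmatch
import re

_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named in a statement's Principal block.
    A bare "*" is returned as "*" so an open statement surfaces in the result."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        m = _ROOT_ARN.match(entry)
        if m:
            accounts.add(m.group(1))
        elif re.fullmatch(r"\d{12}", entry):
            accounts.add(entry)
    return accounts


def accounts_allowed(policy, required_action):
    """Accounts with an Allow statement whose Action covers required_action
    (IAM action wildcards such as "kms:*" are honoured, case-insensitively)."""
    allowed = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(required_action.lower(), a) for a in actions):
            allowed |= _principal_accounts(stmt.get("Principal", {}))
    return allowed


def accounts_that_can_join(bucket_policy, key_policy):
    """Accounts that can both read objects and decrypt them with the solution's CMK."""
    return sorted(accounts_allowed(bucket_policy, "s3:GetObject")
                  & accounts_allowed(key_policy, "kms:Decrypt"))


def accounts_missing_decrypt(bucket_policy, key_policy):
    """Accounts granted bucket access but not kms:Decrypt: they will fail to read
    SSE-KMS objects until the key policy is updated as well."""
    return sorted(accounts_allowed(bucket_policy, "s3:GetObject")
                  - accounts_allowed(key_policy, "kms:Decrypt"))


# Constructed sample bucket policy: two additional accounts granted read access.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::transit-vpc-bucket-placeholder",
                     "arn:aws:s3:::transit-vpc-bucket-placeholder/*"],
    }],
}

# Constructed sample key policy: owner account plus only ONE of the two accounts.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print("can join:", accounts_that_can_join(BUCKET_POLICY, KEY_POLICY))
    print("missing key grant:", accounts_missing_decrypt(BUCKET_POLICY, KEY_POLICY))
```

The owning account appears only in the key policy here because it reaches the bucket through its own IAM policies rather than the bucket policy, which is why the check focuses on the additional accounts the page says may be added manually.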
